Hackers ‘could turn collaborative robots into killers’

In a blog on IOActive’s Web site, Lucas Apa, a senior security consultant with the company, describes how he and a colleague audited leading cobots, including Rethink Robotics’ Baxter and Sawyer models, and Universal Robots’ UR family.

With the Rethink robots, they found problems including authentication issues, insecure transport in protocols, and susceptibility to physical attacks. They reported these to Rethink in January, and the company appeared to patch the major problems in February.

With the Universal Robots’ UR3, UR5 and UR10 cobots, Apa says that IOActive has demonstrated how an attacker could chain multiple vulnerabilities together to modify the robots’ safety settings remotely, violating safety laws and “causing physical harm to the robot’s surroundings by moving it arbitrarily”.

He adds that this demonstrates “how dangerous these systems can be if they are hacked,” and that manipulating safety limits and disabling emergency buttons “could directly threaten human life”. He points out that even a UR5 arm, with a 5kg load capacity, is powerful enough to injure a person and, when running at a slow speed, would have sufficient force to fracture someone’s skull.

The IOActive researchers have posted a video on YouTube which, they say, shows how six vulnerabilities in UR cobots could be exploited to change safety limits and to disable safety planes and emergency buttons and sensors, remotely via a network. The result, they say, is a cobot arm that “swings wildly about, wreaking havoc”.

According to Apa, IOActive’s goal is to make cobots more secure and to prevent vulnerabilities from being exploited by attackers to cause serious harm to industries, employees and their surroundings. “I truly hope that this blog entry moves the collaborative industry forward so we can safely enjoy this and future generations of robots,” he says.

In accordance with IOActive’s “responsible disclosure” policy, the cyber-researchers contacted Universal Robots last January, “so they have had ample time to address the vulnerabilities and inform their customers,” says Apa. But, he reports, the vulnerabilities have yet to be patched, and he asks: “What are we waiting for?”

• Universal Robots has issued the following statement: “One of the things that makes humans different from animals is that we have for tens of thousands of years used technology to empower us to be more than just our biology. This trajectory has made us the dominating species on our planet. Humankind has always used technology to invent and develop solutions with the main aim of improving conditions for ourselves, whether it be work-related or leisure. We have seen an amazing development over the recent years – especially within AI and robotics, the latter being our area of expertise. At Universal Robots, we make collaborative robots – called cobots – which means humans and robots work together so we work proactively with robot safety every day. We know the challenges and we know how difficult it can be. Therefore we are very aware of the risk that technology can be misused. We do not see an imminent threat around the corner, however, as with the co-signers of the open letter, we believe that it is important to stay ahead of the curve and have an open-minded discussion and approach to defuse any potential threats. We want to make sure that humans take full advantage of technology for peaceful purposes.”